immorall Posted October 24, 2006

We must be doing this the hard way or something. Basically what we want to accomplish is to have a sub-user in our domain be able to do almost anything on the LOCAL machine. This includes changing usernames, installing software, changing IPs, installing drivers, changing computer names, etc. Anything that a LOCAL Administrator would be able to do. However, we don't want that sub-user to be a domain admin and have domain admin rights.

Before, we used to just separate them. Give the LOCAL Administrator account name and password to the user who needs to do the tasks on the local machine and then have the domain admin perform the tasks you can't do as a Local Administrator. Well, this worked out fine until, if you read my last post yesterday, the Local Administrator account got compromised, and we were trying to figure out some way to change the Local Administrator account on hundreds of machines. I got some good replies but they all involve using scripts. For one, scripts aren't my strong suit and two, supposedly the scripts can be a security problem. There has to be some better way of delegating these tasks.

Ctrl-X Posted October 24, 2006

If this is an Active Directory domain, you can easily deploy a Group Policy Object to add this domain user to the local Administrators group on all workstations.

immorall Posted October 24, 2006

OK, how and where do you do that? I have looked several times in Group Policy and can't find an option for that.

BlkCrowe Posted October 24, 2006

1. Create a domain group called something like "Local Admins".
2. Open the GPMC and create a new GPO (or edit an existing GPO).
3. Navigate to Computer Configuration/Windows Settings/Security/Restricted Groups
4. Right Click. Select "Add Group..."
5. For Group Name, type "Administrators" and click "OK".
6. Add the following members to this Restricted Group:
   DOMAIN\Domain Admins
   DOMAIN\Local Admins
7. Click OK.
8. Link the GPO to the appropriate OU.
9. Close the GPMC.
10. Tell your boss it will take 2 days to complete, then go back to playing Solitaire.

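To check on a workstation that the Restricted Groups policy described above has taken effect, this added PowerShell example (not part of the original thread) compares the local Administrators group with the members the GPO lists. DOMAIN, WS042 and the sample accounts are constructed placeholders, and Get-LocalGroupMember assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not from the thread. A Restricted Groups member list is
# enforced as the group's full membership, so anything outside the expected
# list should be gone after the policy refreshes.

function Compare-AdminMembership {
    param(
        [string[]]$Actual,    # members found in the local Administrators group
        [string[]]$Expected   # members the Restricted Groups GPO should leave
    )
    # -in / -notin compare case-insensitively, like Windows account names.
    $unexpected = @($Actual   | Where-Object { $_ -notin $Expected })
    $missing    = @($Expected | Where-Object { $_ -notin $Actual })
    [pscustomobject]@{
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

function Get-LocalAdminNames {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup also works where the group name is localized.
    try {
        @((Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop).Name)
    } catch {
        # Enumeration can fail, for example on unresolvable member SIDs.
        Write-Warning "Could not enumerate Administrators: $($_.Exception.Message)"
        @()
    }
}

# Constructed sample: a workstation where the GPO has not applied yet.
$expected = 'WS042\Administrator', 'DOMAIN\Domain Admins', 'DOMAIN\Local Admins'
$sample   = 'WS042\Administrator', 'DOMAIN\Domain Admins',
            'WS042\support', 'DOMAIN\jsmith'
Compare-AdminMembership -Actual $sample -Expected $expected | Format-List

# On a real workstation, after "gpupdate /force" (adjust the first entry if
# the built-in Administrator account has been renamed):
# $expected = "$env:COMPUTERNAME\Administrator",
#             'DOMAIN\Domain Admins', 'DOMAIN\Local Admins'
# Compare-AdminMembership -Actual (Get-LocalAdminNames) -Expected $expected
```
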
immorall Posted October 24, 2006

Alright, thanks for all your help.